I have a requirement to use user keys with passphrases on automated scripts. Is there a way I can give the passphrase to use to the SSH Tectia Client?
asked Feb 18 '10 at 09:46
SSH KB ♦
In some circumstances you may be required to use user keys with passphrases on automated scripts.
In these cases you may want to pre-load/cache the passphrases for your user keys using the ssh-broker-ctl command.
For more details of the command options please see the link below, and examples provided in this KB article.
First use the list-keys option to find the key ID:
If you get the following message it usually means that the broker isn't started:
[root@dhcp-pool62 ~]# ssh-broker-ctl list-keys -s
ssh-broker-ctl: Broker connection failed: Connect failed: No such file or directory(2)
Failed to connect to broker socket `/tmp/ssh-root/ssh-broker'.
Failed to connect to Broker.
If this is the case you can start the broker first:
[root@dhcp-pool62 ~]# ssh-broker-g3
Then re-run the "ssh-broker-ctl list-keys" command (if you have a lot of keys you may want to use the "short" -s option to limit the amount of data displayed about the keys):
[root@dhcp-pool62 ~]# ssh-broker-ctl list-keys -s
#1 fc77c742134d8f03245220ba36c743066d3157b2 ssh-dss /root/.ssh2/id_dsa_2048_a dsa 2048
Once you know the key number you can use it and the "key-passphrase" command to load the passphrases for the keys:
Note: If you would like to load all of your keys' passphrases you can use the --all option as shown in the ssh-broker-ctl man page link mentioned above.
[root@dhcp-pool62 ~]# ssh-broker-ctl key-passphrase 1
Key label: 2048-bit dsa, firstname.lastname@example.org, Tue Dec 29 2009 12:01:47 -0800
File name: /root/.ssh2/id_dsa_2048_a
Passphrase for the private key:
1 passphrase protected keys opened.
If you want to script the loading of the passphrases you would likely want to use the --passphrase-file option so that manual interaction is not needed. (Make sure the password files are in a secure location, only accessible to the intended user.)
[root@dhcp-pool62 ~]# ssh-broker-ctl key-passphrase 1 --passphrase-file=testpassphrase.txt
1 passphrase protected keys opened.
If you're not running the ssh-broker-ctl command from the same directory, simply use the full path.
[root@dhcp-pool62 etc]# ssh-broker-ctl key-passphrase 1 --passphrase-file=/root/testpassphrase.txt
1 passphrase protected keys opened.
Or you can use relative paths:
[root@dhcp-pool62 command]# ssh-broker-ctl key-passphrase 1 --passphrase-file=../passphrases/testpassphrase.txt
1 passphrase protected keys opened.
Windows examples: In the current directory:
C:\example>ssh-broker-ctl key-passphrase 1 --passphrase-file=passphrase.txt
1 passphrase protected keys opened.
Relative path:
C:\TEST>ssh-broker-ctl key-passphrase 1 --passphrase-file=..\example\passphrase.txt
1 passphrase protected keys opened.
Full path:
C:\TEST>ssh-broker-ctl key-passphrase 1 --passphrase-file=C:\example\passphrase.txt
1 passphrase protected keys opened.
Now your connections using the passphrase-loaded user keys will not require user interaction when connections are made until the Tectia connection broker is closed, or the cache is cleared using the --clear option.
answered Feb 18 '10 at 09:50
SSH KB ♦
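The steps above (check that the broker answers, find the key number from "list-keys -s", then feed "key-passphrase" a passphrase file) can be wrapped in a small shell script so an automated job does not hard-code the key number and does not use a passphrase file that other users can read. The script below is an added example and is not code from the SSH KB article or from the Tectia product. It assumes a Linux host with GNU coreutils (stat -c), ssh-broker-ctl and ssh-broker-g3 on the PATH, and the one-key-per-line "list-keys -s" output format shown in the answer (key number with a leading "#", fingerprint, key type, file path, algorithm, bits). The SAMPLE_LIST_KEYS text is constructed for offline testing of the parsing function; the second key in it is invented.

```shell
#!/bin/sh
# Added example, not part of the SSH Tectia KB article.
# Assumptions: Linux with GNU stat, ssh-broker-ctl / ssh-broker-g3 in PATH,
# "ssh-broker-ctl list-keys -s" printing one key per line as:
#   #<n> <fingerprint> <type> <keyfile> <algorithm> <bits>

# Constructed sample of "ssh-broker-ctl list-keys -s" output (second key is invented).
SAMPLE_LIST_KEYS='#1 fc77c742134d8f03245220ba36c743066d3157b2 ssh-dss /root/.ssh2/id_dsa_2048_a dsa 2048
#2 0123456789abcdef0123456789abcdef01234567 ssh-rsa /root/.ssh2/id_rsa_4096_b rsa 4096'

# key_id_for_file KEYFILE: read list-keys -s output on stdin and print the key
# number (without the leading '#') whose file path matches KEYFILE; prints nothing
# if the key is not loaded in the broker.
key_id_for_file() {
    awk -v f="$1" '$4 == f { sub(/^#/, "", $1); print $1; exit }'
}

# passphrase_file_ok FILE: only accept a regular file owned by the invoking user
# with no group/other permission bits (e.g. mode 600 or 400), as the article
# recommends keeping passphrase files accessible to the intended user only.
passphrase_file_ok() {
    pf=$1
    [ -f "$pf" ] || return 1
    perms=$(stat -c '%a' "$pf") || return 1     # octal mode, e.g. 600
    owner=$(stat -c '%u' "$pf") || return 1     # numeric uid of owner
    [ "$owner" = "$(id -u)" ] || return 1
    case "$perms" in
        *00) return 0 ;;                        # group and other bits are zero
        *)   return 1 ;;
    esac
}

# broker_ready: if list-keys cannot reach the broker socket, start ssh-broker-g3
# (the article's fix for "Broker connection failed") and re-check.
broker_ready() {
    if ! ssh-broker-ctl list-keys -s >/dev/null 2>&1; then
        ssh-broker-g3 || return 1
        sleep 1
    fi
    ssh-broker-ctl list-keys -s >/dev/null 2>&1
}

# load_key_passphrase KEYFILE PASSFILE: resolve the broker key number for KEYFILE
# and load its passphrase from PASSFILE into the broker cache non-interactively.
load_key_passphrase() {
    keyfile=$1
    passfile=$2
    if ! passphrase_file_ok "$passfile"; then
        echo "refusing insecure or missing passphrase file: $passfile" >&2
        return 1
    fi
    if ! broker_ready; then
        echo "Tectia connection broker is not available" >&2
        return 1
    fi
    id=$(ssh-broker-ctl list-keys -s | key_id_for_file "$keyfile")
    if [ -z "$id" ]; then
        echo "key $keyfile is not known to the broker" >&2
        return 1
    fi
    ssh-broker-ctl key-passphrase "$id" --passphrase-file="$passfile"
}

# Usage from a job: ./load-passphrase.sh /root/.ssh2/id_dsa_2048_a /root/testpassphrase.txt
# Runs only when the Tectia tools are installed and arguments were given.
if command -v ssh-broker-ctl >/dev/null 2>&1 && [ -n "$1" ] && [ -n "$2" ]; then
    load_key_passphrase "$1" "$2"
fi
```

The cached passphrase lives only as long as the broker process, so a job that may run after a reboot should call this before its first sftpg3/sshg3 connection rather than assuming the cache is still warm; the permission check refuses the common mistake of a world-readable passphrase file, which would otherwise silently turn a passphrase-protected key into an unprotected one.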